Remove client roles containing slash using Admin Client/Admin REST API
by Erdal, Jonatan
Hi,
We are working on automatically removing client roles from one of our clients, but are struggeling with roles containing a slash, /.
Currently we are using the Keycloak Admin Client library for Java, org.keycloak.admin.client. To be more precise, we use the ClientResource to fetch the RolesResource, and we then use the method deleteRole(String rolename) ;
* clientResource.roles().deleteRole(roleName)
We have tried both with and without URL Encoding (UTF-8). It works perfectly fine for roles not containing slash.
Example of role not working :
* test/role
Example of role working:
* test_role
We have also tried using the Admin REST API to remove the roles, but with the same result.
DELETE /admin/realms/{realm}/clients/{id}/roles/{role-name}
Both methods (Admin client and Admin REST API) returns status 404 for role test/test. Both methods works for other roles, such as test_test.
Does anyone know if it is possible to somehow remove roles containing slash without having to go to the admin console?
Thanks in advance!
//Jonatan
________________________________
Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini Sverige AB, a company registered in Sweden (number 556092-3053) whose registered office is at Gustavslundsv?gen 131 Box 825 ? S-161 24 Bromma.
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
6 years, 2 months
Authentication (Node.JS) Microservice to pass User x.509 certificate to Keycloak
by Daniel Scheiner
Hi!
I am currently trying to have a Node.JS application between the User and Keycloak.
Keycloak is running in a Docker container (with the option "-e PROXY_ADDRESS_FORWARDING=true").
The Node.JS microservice connects to Keycloak via HTTPS and wants to offer the User x.509 certificate.
How do I have to configure Keycloak (Docker image) to accept the user cert?
- certificate is PEM
- we have a CA set up and can provide the ca-chain
- Node.JS currently tries connecting via 'isomorphic-fetch' and passing cert in headers...
All I get so far with headers:
- SSL_CLIENT_CERT
- X-Client-Certificate
- USER_CERT
- javax.servlet.request.X509Certificate
--> { error_description: 'X509 client certificate is missing.', error: 'invalid_request' }
Thank you sincerely!
Daniel
6 years, 2 months
Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names
by Niels Bertram
Hi there,
we have a requirement to set the jndi datasource name on a UserFederation
provider when added to a realm to support connecting different realms in
the same Keycloak server to different databases. Been through the examples
and read a few emails from around 2016 in the developer list but do not
find anyone who'd actually done this before. we could create a user managed
EntityManagerFactory within the federation provider factory but the
question is then how can we inject it into the container context and enlist
our transactions in the JTA?
Has anyone ever had to implement something like that?
Cheers,
NIels
6 years, 2 months
Get federated roles in user federation provider or authenticator
by Juan Pablo Perata
Hi all,
I would like to ask if there is a way to get "federated roles" in a custom
authenticator or custom user federation provider?
I found that defining my own UserAdapter which extends
AbstracrUserAdapterFederatedStorage, there is a method which can be
overrided named "Set<RoleModel> getRoleMappingsInternal()".
I tried to create a role mapping and populate that set with the roles the
user has (in external database). Although, when I receive the security
context in my client application, the roles are missing (I only see some
realm default roles I created in the realm).
I take a step further and tried to debug the code and reached to the point
when the role assignation is done, and the roles I define are obtained from
the user adapter, but then the roles which remain are the only which are
defined in Keycloak. Is my assumption right?
Is there a way to get what I need? Or I need to define each role in
Keycloak as well?
My user federation provider is a read only provider to the external
database and the intention was to not maintain duplicated configuration.
Any help is appreciated.
Kind regards,
Juan
6 years, 2 months
Why doesn't the login module get called on Wildfly with Keycloak?
by Linda Sauder
We have a Wildfly 10 AS, and we have the Keycloak 4.1 SAML Adapter installed according to the description in §3.1.2 of the Keycloak documentation<https://www.keycloak.org/docs/latest/securing_apps/index.html#jboss-eap-w...>
That means, our standalone.xml has
· loaded the org.keycloak.keycloak-saml-adapter-subsystem extension
· added the urn:jboss:domain:keycloak-saml:1.1 subsystem to our server's profile
· defined a security domain (although in our case it's not called keycloak)
· defined org.keycloak.adapters.jboss.KeycloakLoginModule as a <login-module> on that domain
Furthermore, we have an Application.war, which
· contains some HTML to deliver
· has a keycloak-saml.xml
· has a jboss-web.xml, configuring the deployment's security-domain to the one defined in standalone.xml
· has a web.xml which sets the auth-method configured to KEYCLOAK-SAML
And yet, the login module never gets called. Why?
Is there any logging we can enable to shed more light? Any places in undertow, picketlink, or picketbox to set breakpoints?
“Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.
6 years, 2 months
problem with nginx reverse proxy and ip access control
by Derek Gibson
Hi there,
I'm having a hard time trying to get ip restriction working behind an nginx reverse proxy on Keycloak 4.3
I have configured an ip filter as per https://www.keycloak.org/docs/4.3/server_admin/#ip-restriction <https://www.keycloak.org/docs/4.3/server_admin/#ip-restriction>
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" proxy-address-forwarding="true" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
<filter-ref name="ipAccess"/>
</host>
</server>
<filters>
<expression-filter name="ipAccess" expression="path-prefix('/auth/admin') -> ip-access-control(acl={'10.10.10.10 allow'})"/>
</filters>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
</subsystem>
and my nginx server block
server {
listen 443 ssl;
server_name keycloak.example.com <http://keycloak.example.com/>;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://keycloak-prx.example.com <https://keycloak-prx.example.com/>;
}
}
This works as intended when I request it directly, however when I try to access via nginx reverse proxy I get a 403 regardless of the ip I set in the ip-access-control filter, whether I have the host ip, or the proxy or gateway.
Undertow debug shows that the correct ip's (as far as I understand that it should be) are being passed by nginx
10:03:29,564 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth for path /auth/
10:03:29,565 DEBUG [io.undertow.request.security] (default task-3) Authentication result was ATTEMPTED for HttpServerExchange{ GET /auth/ request {X-Real-IP=[10.10.10.20], accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8], X-Amzn-Trace-Id=[Root=1-5b9b8771-70fa72df4ef4bf816434fcc5], accept-language=[en-US,en;q=0.9], accept-encoding=[gzip, deflate, br], user-agent=[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36], Connection=[close], X-Forwarded-Proto=[https], X-Forwarded-Port=[443], X-Forwarded-For=[10.10.10.10, 10.10.10.20], cookie=[_ga=GA1.2.1510178336.1525250562; ajs_user_id=%22ca89cde3-6cac-4197-a5ad-aa966295c66d%22; ajs_anonymous_id=%2228cb540a-cb21-4200-a531-64b11ef909d8%22; ajs_group_id=%22customer%3A1%22], upgrade-insecure-requests=[1], Host=[keycloak.example.com <http://keycloak.example.com/>]} response {}}
but I do not get any debug logs for matches for /auth/admin, I only get an entry
09:42:47,387 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth/admin for path /auth/admin/
and no subsequent security logs for that request
Have I misconfigured something or could this be a bug?
Is there any steps that I can take to debug this further?
my debug settings are
<subsystem xmlns="urn:jboss:domain:logging:3.0">
<console-handler name="CONSOLE">
<level name="DEBUG"/>
<formatter>
<named-formatter name="COLOR-PATTERN"/>
</formatter>
</console-handler>
...
<logger category="io.undertow">
<level name="DEBUG"/>
</logger>
...
</subsystem>
all else is INFO
Would really appreciate any help at all on this
thanks
Derek
6 years, 2 months
Securing keycloak
by GARDAIS Ionel
Hi list,
Beside /auth/admin, are there any other URI that should be secured/restricted to limit attack surface for a public facing keycloak ?
By the way, could it be useful to add a dedicated configuration entry directly inside keycloak to restrict IPs allowed to make to low-level actions ?
Thanks,
Ionel
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
6 years, 2 months
